Hades ransomware is a variant of the WastedLocker malware family, which is designed to compromise and damage computers or devices. CTU researchers observed it being used alongside Advanced Port Scanner, MegaSync, and Malleable C2 tooling in several intrusions; the same tools have been linked to other ransomware operations, including Snatch, Pysa, Nefilim, Darkside, and Defray. Hades typically gains a foothold through suspicious downloads, emails, or websites, often without the user's knowledge, and then encrypts files, disrupts operations, or steals personal information.
The operators of Hades ransomware employ distinctive tactics and infrastructure, as reported on June 15, 2021. One significant change that the group known as INDRIK SPIDER made to the WastedLocker-derived Hades variant is that key information is now stored within each encrypted file rather than in the ransom note. This modification makes it harder for victims to recover their data without paying the ransom. The ransomware still drops a ransom note, which directs victims to a Tor site for payment processing.
Despite these changes, Hades ransomware shares most of its functionality with the original WastedLocker. The ISFB-inspired static configuration, multi-staged persistence/installation process, file/directory enumeration, and encryption functionality remain largely unchanged. This continuity suggests that while the Hades variant has evolved in certain respects, it still relies heavily on the successful components of its predecessor.
Description last updated: 2024-05-05T11:57:06.847Z